If you do any offensive security work, your browser history is a graveyard of single-purpose tools: a base64 site here, a JWT decoder there, a hash identifier on some ad-covered page that definitely logs everything you paste into it.
That last part always bothered me. Half the "free online security tools" out there are a server-side eval() with a privacy policy. You paste a payload, a session token, a customer's data you're testing with — and you have no idea where it goes.
So I built Payload Playground: 73 security tools and 35 payload generators that run 100% in your browser. No backend processing. Open the network tab and watch — when you hash a string or decode a JWT, nothing leaves the page.
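To make the "nothing leaves the page" point concrete, here is an added example (not Payload Playground's code) of decoding a JWT using only built-ins, with no network calls. It runs in a browser console or Node 16+; the function names and the sample token are constructed for illustration.

```javascript
// Added example: decode a JWT entirely on the local machine.
// Uses only atob, btoa and TextDecoder, so nothing is sent anywhere.

// base64url -> UTF-8 text. JWT segments use '-' and '_' and drop '=' padding.
function b64urlToText(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error("not base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Split and decode header and payload. The signature is NOT verified here:
// decoding shows what the token claims, never whether it is authentic.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected 3 dot-separated segments");
  const header = JSON.parse(b64urlToText(parts[0]));
  const payload = JSON.parse(b64urlToText(parts[1]));
  return { header, payload, signaturePresent: parts[2].length > 0 };
}

// Points a defender would want flagged when reading a token.
function reviewJwt(decoded, nowSeconds = Math.floor(Date.now() / 1000)) {
  const notes = [];
  const alg = String(decoded.header.alg || "").toLowerCase();
  if (alg === "none" || !decoded.signaturePresent) notes.push("unsigned token");
  if (typeof decoded.payload.exp !== "number") notes.push("no exp claim");
  else if (decoded.payload.exp <= nowSeconds) notes.push("expired");
  if (typeof decoded.payload.nbf === "number" && decoded.payload.nbf > nowSeconds)
    notes.push("not yet valid");
  return notes;
}

// Constructed sample token (not a real credential), built locally.
function makeSampleToken() {
  const enc = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ alg: "HS256", typ: "JWT" }),
          enc({ sub: "demo-user", exp: 1700000000 }),
          "c2lnbmF0dXJl"].join(".");
}

const sample = decodeJwt(makeSampleToken());
console.log(sample.payload, reviewJwt(sample, 1800000000));
```

Decoding is not verification: the signature still has to be checked against the issuer's key before any claim in the payload is trusted.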
What's in it
A few things I reach for constantly:
- Cipher Decoder — auto-detects classical ciphers (Caesar brute force, Vigenère, ROT13/47, Atbash, Rail Fence, Bacon, Morse, A1Z26, XOR brute force). Built for CTF "what is this encoding" moments.
- Payload generators — XSS, SQLi, SSRF, SSTI, command injection, LFI, XXE, NoSQLi, deserialization, and more, with context options and WAF-bypass encodings.
- JWT decoder, hash toolkit (HMAC + comparison), encoder/decoder stack, regex tester, CSP evaluator, IP calculator, HTTP request parser — the boring-but-essential utilities, all in one tab.
- Recon helpers — certificate-transparency subdomain search, subdomain wordlist builder, dork generator.
The honest part
It's free — all 73 tools, no account needed. There's a Pro tier ($12/mo) for the AI features (a WAF-bypass payload mutator and an LLM security tester), which is how I keep the lights on, but the core toolkit is the product and it's free.
I'd genuinely love feedback from people who do this daily: what's the one tool you keep a tab open for that I'm missing? What would make this your default?